

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>OpenStack Barbican Integration &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script src="../../_static/doctools.js"></script>
        <script src="../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="HashiCorp Vault Integration" href="../vault/" />
    <link rel="prev" title="OpenStack Keystone Integration" href="../keystone/" /> 
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <section id="openstack-barbican">
<h1>OpenStack Barbican Integration<a class="headerlink" href="#openstack-barbican" title="Permalink to this heading"></a></h1>
<p>OpenStack <a class="reference external" href="https://wiki.openstack.org/wiki/Barbican">Barbican</a> can be used as the key management service for <a class="reference external" href="../encryption">Server-Side Encryption</a> (SSE-KMS) in the Ceph Object Gateway.</p>
<img alt="../../_images/rgw-encryption-barbican.png" src="../../_images/rgw-encryption-barbican.png" />
<ol class="arabic simple">
<li><p><a class="reference internal" href="#keystone">Configure Keystone</a></p></li>
<li><p><a class="reference internal" href="#id1">Create a Keystone user</a></p></li>
<li><p><a class="reference internal" href="#barbican">Create a key in Barbican</a></p></li>
<li><p><a class="reference internal" href="#ceph">Configure the Ceph Object Gateway</a></p></li>
</ol>
<section id="keystone">
<h2>Configure Keystone<a class="headerlink" href="#keystone" title="Permalink to this heading"></a></h2>
<p>Barbican relies on Keystone for authorization and access control of its keys.</p>
<p>See <a class="reference external" href="../keystone">OpenStack Keystone Integration</a>.</p>
</section>
<section id="id1">
<h2>Create a Keystone user<a class="headerlink" href="#id1" title="Permalink to this heading"></a></h2>
<p>Create a new user that the Ceph Object Gateway will use to retrieve keys from Barbican.</p>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">user</span> <span class="o">=</span> <span class="n">rgwcrypt</span><span class="o">-</span><span class="n">user</span>
<span class="k">pass</span> <span class="o">=</span> <span class="n">rgwcrypt</span><span class="o">-</span><span class="n">password</span>
<span class="n">tenant</span> <span class="o">=</span> <span class="n">rgwcrypt</span>
</pre></div>
</div>
<p>See the OpenStack documentation on <a class="reference external" href="https://docs.openstack.org/admin-guide/cli-manage-projects-users-and-roles.html#create-a-user">managing projects, users and roles</a>.</p>
</section>
<section id="barbican">
<h2>Create a key in Barbican<a class="headerlink" href="#barbican" title="Permalink to this heading"></a></h2>
<p>See the Barbican documentation on <a class="reference external" href="https://developer.openstack.org/api-guide/key-manager/secrets.html#how-to-create-a-secret">how to create a secret</a>. Every request to Barbican must carry a valid Keystone token in the
<code class="docutils literal notranslate"><span class="pre">X-Auth-Token</span></code> header.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Server-side encryption keys must be 256 bits long and base64 encoded. Generate them from a cryptographically secure random source; the <code class="docutils literal notranslate"><span class="pre">payload</span></code> below is the raw 32-byte key, base64 encoded.</p>
</div>
<p>Example request:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">POST</span> <span class="o">/</span><span class="n">v1</span><span class="o">/</span><span class="n">secrets</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span>
<span class="n">Host</span><span class="p">:</span> <span class="n">barbican</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">:</span><span class="mi">9311</span>
<span class="n">Accept</span><span class="p">:</span> <span class="o">*/*</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">application</span><span class="o">/</span><span class="n">json</span>
<span class="n">X</span><span class="o">-</span><span class="n">Auth</span><span class="o">-</span><span class="n">Token</span><span class="p">:</span> <span class="mi">7</span><span class="n">f7d588dd29b44df983bc961a6b73a10</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">299</span>

<span class="p">{</span>
    <span class="s2">&quot;name&quot;</span><span class="p">:</span> <span class="s2">&quot;my-key&quot;</span><span class="p">,</span>
    <span class="s2">&quot;expiration&quot;</span><span class="p">:</span> <span class="s2">&quot;2016-12-28T19:14:44.180394&quot;</span><span class="p">,</span>
    <span class="s2">&quot;algorithm&quot;</span><span class="p">:</span> <span class="s2">&quot;aes&quot;</span><span class="p">,</span>
    <span class="s2">&quot;bit_length&quot;</span><span class="p">:</span> <span class="mi">256</span><span class="p">,</span>
    <span class="s2">&quot;mode&quot;</span><span class="p">:</span> <span class="s2">&quot;cbc&quot;</span><span class="p">,</span>
    <span class="s2">&quot;payload&quot;</span><span class="p">:</span> <span class="s2">&quot;6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=&quot;</span><span class="p">,</span>
    <span class="s2">&quot;payload_content_type&quot;</span><span class="p">:</span> <span class="s2">&quot;application/octet-stream&quot;</span><span class="p">,</span>
    <span class="s2">&quot;payload_content_encoding&quot;</span><span class="p">:</span> <span class="s2">&quot;base64&quot;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Response:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span><span class="s2">&quot;secret_ref&quot;</span><span class="p">:</span> <span class="s2">&quot;http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723&quot;</span><span class="p">}</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723</span></code> in the response is the key ID, which can be used in any <a class="reference external" href="http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html">SSE-KMS</a> request (the gateway reads it from the <code class="docutils literal notranslate"><span class="pre">x-amz-server-side-encryption-aws-kms-key-id</span></code> header).</p>
<p>A newly created secret is not accessible to <code class="docutils literal notranslate"><span class="pre">rgwcrypt-user</span></code>; read access must be granted through the secret's ACL, see
<a class="reference external" href="https://developer.openstack.org/api-guide/key-manager/acls.html#how-to-set-replace-acl">how to set or replace an ACL</a>. Note that <code class="docutils literal notranslate"><span class="pre">"project-access": true</span></code> in the example below keeps the secret readable by other members of the project that owns it; set it to <code class="docutils literal notranslate"><span class="pre">false</span></code> to restrict reads to the listed users.</p>
<p>Example request (assuming the Keystone ID of <code class="docutils literal notranslate"><span class="pre">rgwcrypt-user</span></code> is
<code class="docutils literal notranslate"><span class="pre">906aa90bd8a946c89cdff80d0869460f</span></code>):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">PUT</span> <span class="o">/</span><span class="n">v1</span><span class="o">/</span><span class="n">secrets</span><span class="o">/</span><span class="n">d1e7ef3b</span><span class="o">-</span><span class="n">f841</span><span class="o">-</span><span class="mi">4</span><span class="n">b7c</span><span class="o">-</span><span class="mi">90</span><span class="n">b2</span><span class="o">-</span><span class="n">b7d90ca2d723</span><span class="o">/</span><span class="n">acl</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span>
<span class="n">Host</span><span class="p">:</span> <span class="n">barbican</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">:</span><span class="mi">9311</span>
<span class="n">Accept</span><span class="p">:</span> <span class="o">*/*</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">application</span><span class="o">/</span><span class="n">json</span>
<span class="n">X</span><span class="o">-</span><span class="n">Auth</span><span class="o">-</span><span class="n">Token</span><span class="p">:</span> <span class="mi">7</span><span class="n">f7d588dd29b44df983bc961a6b73a10</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">101</span>

<span class="p">{</span>
    <span class="s2">&quot;read&quot;</span><span class="p">:{</span>
    <span class="s2">&quot;users&quot;</span><span class="p">:[</span> <span class="s2">&quot;906aa90bd8a946c89cdff80d0869460f&quot;</span> <span class="p">],</span>
    <span class="s2">&quot;project-access&quot;</span><span class="p">:</span> <span class="n">true</span>
    <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Response:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span><span class="s2">&quot;acl_ref&quot;</span><span class="p">:</span> <span class="s2">&quot;http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl&quot;</span><span class="p">}</span>
</pre></div>
</div>
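<p>The two Barbican exchanges above, creating the secret and then setting its ACL, as an added Python example that is not part of the Ceph or Barbican code. It generates the 256-bit key from the OS CSPRNG, rejects any payload that does not decode to exactly 32 bytes, parses the key ID out of <code class="docutils literal notranslate"><span class="pre">secret_ref</span></code>, and grants <code class="docutils literal notranslate"><span class="pre">rgwcrypt-user</span></code> read access with <code class="docutils literal notranslate"><span class="pre">project-access</span></code> set to false. The Barbican URL, token and Keystone user ID are the page's placeholders; the injectable <code class="docutils literal notranslate"><span class="pre">transport</span></code> parameter is an assumption of this example so that the request assembly can be checked without a live Barbican.</p>

```python
"""Create a 256-bit SSE-KMS key in Barbican and grant the RGW service user read access.

Added example, not Ceph or Barbican project code. BARBICAN_URL and RGW_USER_ID are
the page's placeholders; the transport hook is an assumption made here so the
request building can be exercised offline.
"""
import base64
import json
import os
import re
import urllib.request
from typing import Callable, Iterable, Optional

BARBICAN_URL = "http://barbican.example.com:9311"  # from the page; use https in production
RGW_USER_ID = "906aa90bd8a946c89cdff80d0869460f"   # Keystone ID of rgwcrypt-user (placeholder)

SECRET_REF_RE = re.compile(r"/v1/secrets/([0-9a-f-]{36})$")
Transport = Callable[[urllib.request.Request], dict]


def generate_sse_key() -> str:
    """Fresh 256-bit AES key from the OS CSPRNG, base64 encoded as RGW requires."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def validate_sse_key(key_b64: str) -> bytes:
    """Reject anything that is not exactly 32 raw bytes after strict base64 decoding."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"SSE-KMS key must be 256 bits, got {len(raw) * 8}")
    return raw


def secret_request_body(name: str, key_b64: str, expiration: Optional[str] = None) -> dict:
    """JSON body for POST /v1/secrets, mirroring the page's example request."""
    validate_sse_key(key_b64)
    body = {
        "name": name,
        "algorithm": "aes",
        "bit_length": 256,
        "mode": "cbc",
        "payload": key_b64,
        "payload_content_type": "application/octet-stream",
        "payload_content_encoding": "base64",
    }
    if expiration:
        body["expiration"] = expiration  # ISO 8601, e.g. "2016-12-28T19:14:44.180394"
    return body


def acl_body(user_ids: Iterable[str], project_access: bool = False) -> dict:
    """Read ACL for PUT /v1/secrets/<id>/acl. project_access=False keeps other
    members of the owning project out; the page's example leaves it true."""
    return {"read": {"users": list(user_ids), "project-access": project_access}}


def secret_id_from_ref(secret_ref: str) -> str:
    """Extract the key ID RGW expects from the secret_ref URL Barbican returns."""
    match = SECRET_REF_RE.search(secret_ref)
    if not match:
        raise ValueError(f"unexpected secret_ref: {secret_ref}")
    return match.group(1)


def http_json(req: urllib.request.Request) -> dict:
    """Default transport: send the request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def barbican_request(method: str, path: str, token: str, body: dict,
                     transport: Transport = http_json) -> dict:
    """Build one authenticated JSON request against Barbican and hand it to the transport."""
    req = urllib.request.Request(
        BARBICAN_URL + path,
        data=json.dumps(body).encode("utf-8"),
        method=method,
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "X-Auth-Token": token},
    )
    return transport(req)


def create_rgw_key(name: str, token: str, key_b64: Optional[str] = None,
                   transport: Transport = http_json) -> str:
    """Create the secret, then grant rgwcrypt-user read access; return the key ID."""
    key_b64 = key_b64 or generate_sse_key()
    created = barbican_request("POST", "/v1/secrets", token,
                               secret_request_body(name, key_b64), transport)
    key_id = secret_id_from_ref(created["secret_ref"])
    barbican_request("PUT", f"/v1/secrets/{key_id}/acl", token,
                     acl_body([RGW_USER_ID]), transport)
    return key_id


if __name__ == "__main__":
    # Against a real Barbican: export OS_TOKEN from `openstack token issue`.
    print(create_rgw_key("my-key", os.environ["OS_TOKEN"]))
```

<p>Run it with <code class="docutils literal notranslate"><span class="pre">OS_TOKEN</span></code> set to a Keystone token; it prints the key ID to pass in <code class="docutils literal notranslate"><span class="pre">x-amz-server-side-encryption-aws-kms-key-id</span></code>. The key material crosses the network in this request and again every time the gateway fetches it, so Barbican should be reached over TLS rather than the plain <code class="docutils literal notranslate"><span class="pre">http://</span></code> URL the page's examples use.</p>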
</section>
<section id="ceph">
<h2>Configure the Ceph Object Gateway<a class="headerlink" href="#ceph" title="Permalink to this heading"></a></h2>
<p>Edit the Ceph configuration file to select Barbican as the KMS and add the
Barbican server and Keystone user details:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">rgw</span> <span class="n">crypt</span> <span class="n">s3</span> <span class="n">kms</span> <span class="n">backend</span> <span class="o">=</span> <span class="n">barbican</span>
<span class="n">rgw</span> <span class="n">barbican</span> <span class="n">url</span> <span class="o">=</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">barbican</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">:</span><span class="mi">9311</span>
<span class="n">rgw</span> <span class="n">keystone</span> <span class="n">barbican</span> <span class="n">user</span> <span class="o">=</span> <span class="n">rgwcrypt</span><span class="o">-</span><span class="n">user</span>
<span class="n">rgw</span> <span class="n">keystone</span> <span class="n">barbican</span> <span class="n">password</span> <span class="o">=</span> <span class="n">rgwcrypt</span><span class="o">-</span><span class="n">password</span>
</pre></div>
</div>
<p>If using Keystone API v2:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">rgw</span> <span class="n">keystone</span> <span class="n">barbican</span> <span class="n">tenant</span> <span class="o">=</span> <span class="n">rgwcrypt</span>
</pre></div>
</div>
<p>If using Keystone API v3, set the service user's project and domain instead:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">rgw</span> <span class="n">keystone</span> <span class="n">barbican</span> <span class="n">project</span>
<span class="n">rgw</span> <span class="n">keystone</span> <span class="n">barbican</span> <span class="n">domain</span>
</pre></div>
</div>
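<p>A complete gateway section covering the options above, as an added example rather than configuration taken from the page: it places the options under a per-daemon section, uses the Keystone v3 form, and points <code class="docutils literal notranslate"><span class="pre">rgw barbican url</span></code> at TLS so the Keystone password and the key material are not sent in the clear. The section name <code class="docutils literal notranslate"><span class="pre">client.rgw.gateway-node1</span></code> and the project and domain values are assumptions; substitute your own.</p>

```ini
# ceph.conf fragment (added example, not from the page). The daemon name and the
# project/domain values are assumptions for illustration.
[client.rgw.gateway-node1]
rgw crypt s3 kms backend = barbican
# TLS: the gateway authenticates with the Keystone password and receives raw
# key bytes over this URL, so do not use the plain http:// form in production.
rgw barbican url = https://barbican.example.com:9311
rgw keystone barbican user = rgwcrypt-user
rgw keystone barbican password = rgwcrypt-password
# Keystone v3: project and domain of the service user
# (with the v2 API use 'rgw keystone barbican tenant = rgwcrypt' instead)
rgw keystone barbican project = rgwcrypt
rgw keystone barbican domain = default
```

<p>The password is stored in clear text in this file, so keep it readable by the gateway user only. On cephadm-managed clusters the same options go into the monitor configuration store with underscores instead of spaces, for example <code class="docutils literal notranslate"><span class="pre">ceph config set client.rgw.gateway-node1 rgw_barbican_url https://barbican.example.com:9311</span></code>.</p>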
</section>
</section>



<div id="support-the-ceph-foundation" class="admonition note">
  <p class="first admonition-title">Brought to you by the Ceph Foundation</p>
  <p class="last">The Ceph Documentation is a community resource funded and hosted by the non-profit <a href="https://ceph.io/en/foundation/">Ceph Foundation</a>. If you would like to support this and our other efforts, please consider <a href="https://ceph.io/en/foundation/join/">joining now</a>.</p>
</div>


           </div>
           
          </div>
<footer>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>